HIGHApt
Verified
United States / Allied Nations

UNC3886 Linked to VMware vCenter Exploitation Campaign Targeting Defense Sector

Sunday, March 15, 2026 at 08:00 AM UTC·Source: Mandiant / Microsoft

Updated: Monday, March 16, 2026 at 12:00 PM UTC

Executive Summary

UNC3886 exploits known VMware vCenter vulnerabilities to deploy VirtualPita and VirtualPie backdoors across defense contractor virtualization infrastructure.

Analysis

UNC3886 has been observed exploiting patched VMware vCenter Server vulnerabilities at organizations that failed to update. The group deploys VirtualPita and VirtualPie malware on ESXi hypervisors, operating below the OS layer where EDR cannot detect them. Current campaign targets US and allied defense industrial base companies managing classified workloads.

Timeline

Discovered
Feb 20, 2026
Exploitation Detected
Feb 20, 2026
Published
Mar 15, 2026

Indicators of Compromise (2)

CVE (2)
CVE-2025-22224
NVDMITRE CVE
CVE-2025-22225
NVDMITRE CVE
Source Attribution

Originally published by Mandiant / Microsoft on Mar 15, 2026. Verified by: Mandiant, Microsoft, CISA.

Related Threats

LOWApt

Cloudflare’s new CMS is not a WordPress killer, it’s a WordPress alternative

Cloudflare on Wednesday rolled out EmDash, which it described as “the spiritual successor to WordPress.” The security vendor positioned EmDash as a far more secure site building tool that avoids the extensive cybersecurity problems with WordPress plugins . But the Cloudflare claims go far beyond cybersecurity issues. The vendor is arguing that the very nature of websites in 2026 is sharply differe

CSO Online
MEDIUMApt

Apple Rolls Out DarkSword Exploit Protection to More Devices

The DarkSword exploit kit has been used by both state-sponsored hackers and commercial spyware vendors. The post Apple Rolls Out DarkSword Exploit Protection to More Devices appeared first on SecurityWeek .

SecurityWeek
HIGHApt

New Whitepaper: Stealthy BPFDoor Variants are a Needle That Looks Like Hay

Executive Overview Advanced persistent threats (APTs) are constantly and consistently changing tactics as network defenders plug holes in defenses. Static indicators of compromise (IoCs) for the BPFDoor have been widely deployed, forcing threat actors to get creative in their use of this particular strain of malware. What they came up with is ingenious. New research from Rapid7 Labs has uncovered

Rapid7